Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods

ABSTRACT

A system and method is provided for detecting wireless access devices coupled to local area network of computers. The method includes coupling a sniffer device to a local area network. The method includes transferring one or more packets to be directed to a selected device over the local area network. The selected device is preferably coupled to the local area network. The method includes intercepting the one or more packets to be directed to the selected device at the sniffer device. Moreover, the method includes deriving information from the intercepted one or more packets using the sniffer device. The method can generate one or more marker packets in a selected format using the sniffer device. The marker packets are provided based upon at least a portion of the information derived from the intercepted packets. The method includes transferring the one or more marker packets from the sniffer device over the local area network to the selected device and monitoring an airspace within a vicinity of the selected device using one or more sniffer devices

CROSS-REFERENCES TO RELATED APPLICATIONS

This present application claims priority to the U.S. ProvisionalApplication No. 60/543,631, titled “An Automated Method and an RF SensorSystem for Wireless Unauthorized Transmission, Intrusion Detection andPrevention,” filed on Feb. 11, 2004, and the U.S. ProvisionalApplication No. 60/607,897, titled “Automated method and system fordetecting unauthorized devices in wireless local area computernetworks”, filed on Sep. 8, 2004; commonly assigned, and each of whichis hereby incorporated by reference for all purposes.

The present invention also relates to U.S. application Ser. No.10/931,585, filed on Aug. 31, 2004 (Attorney Docket No. 022384-000620US)and U.S. application Ser. No. 10/931,926, filed on Aug. 31, 2004(Attorney Docket Number 022384-000610US); commonly assigned, and each ofwhich is hereby incorporated by reference for all purposes.

BACKGROUND OF THE INVENTION

The present invention relates generally to wireless computer networkingtechniques. In particular, the invention provides methods and systemsfor intrusion detection for local area networks with wirelessextensions. More particularly, the invention provides methods andsystems for testing connectivity of certain devices coupled to localarea networks for wireless transmission. The present intrusion detectioncan be applied to many computer networking environments, e.g.,environments based upon the IEEE 802.11 family of standards (WiFi),Ultra Wide Band (UWB), IEEE 802.16 (WiMAX), Bluetooth, and others.

Computer systems have proliferated from academic and specialized scienceapplications to day-to-day business, commerce, information distributionand home applications. Such systems can include personal computers (PCs)to large mainframe and server class computers. Powerful mainframe andserver class computers run specialized applications for banks, small andlarge companies, e-commerce vendors, and governments. Personal computerscan be found in many offices, homes, and even local coffee shops.

The computer systems located within a specific local geographic area(e.g., an office, building floor, building, home, or any other definedgeographic region (indoor and/or outdoor)) are typically interconnectedusing a Local Area Network (LAN) (e.g., the Ethernet). The LANs, inturn, can be interconnected with each other using a Wide Area Network(WAN) (e.g., the Internet). A conventional LAN can be deployed using anEthernet-based infrastructure comprising cables, hubs switches, andother elements.

Connection ports (e.g., Ethernet ports) can be used to couple multiplecomputer systems to the LAN. For example, a user can connect to the LANby physically attaching a computing device (e.g., a laptop, desktop, orhandheld computer) to one of the connection ports using physical wiresor cables. Other types of computer systems, such as database computers,server computers, routers, and Internet gateways, can be connected tothe LAN in a similar manner. Once physically connected to the LAN, avariety of services can be accessed (e.g., file transfer, remote login,email, WWW, database access, and voice over IP).

Using recent (and increasingly popular) wireless technologies, users cannow be wirelessly connected to the computer network. Thus, wirelesscommunication can provide wireless access to a LAN in the office, home,public hot-spot, and other geographical locations. The IEEE 802.11family of standards (WiFi) is a common standard for such wirelesscommunication. In WiFi, the 802.11b standard provides for wirelessconnectivity at speeds up to 11 Mbps in the 2.4 GHz radio frequencyspectrum; the 802.11g standard provides for even faster connectivity atabout 54 Mbps in the 2.4 GHz radio frequency spectrum; and the 802.11astandard provides for wireless connectivity at speeds up to 54 Mbps inthe 5 GHz radio frequency spectrum.

Advantageously, WiFi can facilitate a quick and effective way ofproviding a wireless extension to an existing LAN. To provide thiswireless extension, one or more WiFi access points (APs) can connect tothe connection ports either directly or through intermediate equipment,such as WiFi switch. After an AP is connected to a connection port, auser can access the LAN using a device (called a station) equipped withWiFi radio. The station can wirelessly communicate with the AP.

In the past, security of the computer network has focused on controllingaccess to the physical space where the LAN connection ports are located.The application of wireless communication to computer networking canintroduce additional security exposure. Specifically, the radio wavesthat are integral to wireless communication often cannot be contained inthe physical space bounded by physical structures, such as the walls ofa building.

Hence, wireless signals often “spill” outside the area of interest.Because of this spillage, unauthorized users, who could be using theirstations in a nearby street, parking lot, or building, could wirelesslyconnect to the AP and thus gain access to the LAN. Consequently,providing conventional security by controlling physical access to theconnection ports of the LAN would be inadequate.

To prevent unauthorized access to the LAN over WiFi, the AP can employcertain techniques. For example, in accordance with 802.11, a user iscurrently requested to carry out an authentication handshake with the AP(or a WiFi switch that resides between the AP and the existing LAN)before being able to connect to the LAN. Examples of such handshake areWireless Equivalent Privacy (WEP) based shared key authentication,802.1x based port access control, and 802.11i based authentication. TheAP can provide additional security measures such as encryption andfirewalls.

Despite these measures, security risks still exist. For example, anunauthorized AP may connect to the LAN and then, in turn, allowunauthorized users to connect to the LAN. These unauthorized users canthereby access proprietary/trade secret information on computer systemsconnected to the LAN without the knowledge of the owner of the LAN.Notably, even if the owner of the LAN enforces no WiFi policy (i.e., nowireless extension of the LAN allowed at all), the threat ofunauthorized APs still exists.

Therefore, a need arises for a system and technique that improvessecurity for LAN environments.

BRIEF SUMMARY OF THE INVENTION

According to the present invention, techniques related to wirelesscomputer networking are provided. In particular, the invention providesmethods and systems for intrusion detection for local area networks withwireless extensions. More particularly, the invention provides methodsand systems for testing connectivity of certain devices coupled to localarea networks for wireless transmission. In a specific embodiment, thepresent invention provides for detecting unauthorized wireless accesspoints that are coupled to the local area network. The present intrusiondetection can be applied to many computer networking environments, e.g.,environments based upon the IEEE 802.11 family of standards (WiFi),Ultra Wide Band (UWB), IEEE 802.16 (WiMAX), Bluetooth, and others.

The application of wireless communication to computer networking hasintroduced significant security risks according to certain examples. Forexample, the radio waves that are integral to wireless communication can“spill” outside a region within which local area computer network isoperated (e.g., office space, building, etc.). Unfortunately,unauthorized wireless devices can detect this “spillage”. Additionally,unauthorized wireless devices can surreptitiously operate within thelocal area network. These devices can pose serious security threats tothe network due to their signal spillage. Therefore, as computernetworks with wireless extensions become more ubiquitous, users areincreasingly concerned about unauthorized wireless devices, whetherwithin or outside the region of operation of the local area network.

In accordance with one aspect of the invention, a method is provided fordetecting wireless access devices coupled to local area network ofcomputers. The method includes coupling (e.g., directly connecting viaphysical connection or socket) a sniffer device to a local area network.The method includes transferring one or more packets to be directed to aselected device over the local area network. Preferably, transferring isprovided from a certain source device. The selected device is preferablycoupled to the local area network. The method includes intercepting theone or more packets to be directed to the selected device at the snifferdevice. Preferably, the step of intercepting occurs before the packetsreach the selected device. Moreover, the method includes derivinginformation from the intercepted one or more packets using the snifferdevice. The method can generate one or more packets in a selected formatusing the sniffer device. The generated one or more packets are providedbased upon at least a portion of the information derived from theintercepted packets. The method includes transferring the one or morepackets in the selected format from the sniffer device over the localarea network to the selected device, and also includes monitoring anairspace within a vicinity of the selected device using one or moresniffer devices.

In accordance with another aspect of the invention, sniffer device isprovided. The sniffer device can be provided at least in part incomputer hardware, firmware, software or combination thereof. Thesniffer device comprises a handler adapted to intercept one or morepackets on a network segment. Preferably, the one or more packets aredirected to be transferred to a selected device coupled to the networksegment. The sniffer device comprises a processor adapted to deriveinformation associated with the intercepted one or more packets.Moreover, the sniffer device includes a packet generator adapted togenerate one or more packets in a selected format. The generated one ormore packets are constructed based upon at least a portion of theinformation derived from the intercepted packets. The sniffer devicealso comprises an output handler adapted to transfer the one or morepackets in the selected format over the network segment to the selecteddevice.

Various other methods and systems are also provided throughout thepresent specification including a way for detecting wireless accessdevices coupled to computer local area networks.

Certain advantages and/or benefits may be achieved using the presentinvention. For example, the present technique provides an easy to useprocess that relies upon conventional computer hardware and softwaretechnologies. In some embodiments, the method and system are fullyautomated and can be used to prevent unauthorized wireless access tolocal area computer networks. The automated operation minimizes thehuman effort required during the system operation and improves thesystem response time and accuracy. In some embodiments, the method andsystem can advantageously reduce the false positives on intrusion eventsthereby eliminating the nuisance factor during the system operation.This is because the technique of the invention intelligentlydistinguishes between harmful APs and friendly neighbor's APs, thelatter usually being the source of false positives. Depending upon theembodiment, one or more of these benefits may be achieved. These andother benefits will be described in more throughout the presentspecification and more particularly below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a simplified LAN architecture that can facilitateintrusion detection according to an embodiment of the present invention.

FIG. 2 illustrates an exemplary hardware diagram of a sniffer deviceaccording to an embodiment of the present invention.

FIG. 3 illustrates an exemplary security policy according to anembodiment of the present invention.

FIG. 4A illustrates a simplified method for detecting wireless accessdevices coupled to local area network according to an embodiment of thepresent invention.

FIG. 4B illustrates a simplified interconnection of network componentsaccording to an embodiment of the present invention.

FIG. 5 illustrates a simplified method for detecting connectivity ofwireless access points to local area network according to a specificembodiment of the present invention.

FIG. 6 illustrates a simplified method for short-listing suspected NATAPs according to a specific embodiment of the present invention.

FIG. 7 illustrates a simplified method for identifying NAT APs from MACaddress information in the packets over the wireless link according to aspecific embodiment of the present invention.

FIG. 8 illustrates a simplified functional diagram of a sniffer deviceaccording to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

According to the present invention, techniques related to wirelesscomputer networking are provided. In particular, the invention providesmethods and systems for intrusion detection for local area networks withwireless extensions. More particularly, the invention provides methodsand systems for testing connectivity of certain devices coupled to localarea networks for wireless transmission. The present intrusion detectioncan be applied to many computer networking environments, e.g.,environments based upon the IEEE 802.11 family of standards (WiFi),Ultra Wide Band (UWB), IEEE 802.16 (WiMAX), Bluetooth, and others.

Conventional security of a computer network has focused on controllingaccess to the physical space where the local area network (LAN)connection ports are located. The application of wireless communicationto computer networking has introduced new security risks. Specifically,the radio waves that are integral to wireless communication often cannotbe contained within the physical boundaries of the region of operationof a local area network (e.g., an office space or a building). This“spillage” can be detected by unauthorized wireless devices outside theregion of operation. Additionally, unauthorized wireless devices can beoperating within the local area network, and can even be connected tothe local area network. The radio coverage of such devices that spillsoutside the region of operation can be used by devices outside theregion to gain unauthorized access to the local area network. Ascomputer networks with wireless extensions become more ubiquitous, usersare increasingly concerned about unauthorized wireless devices, whetherwithin or outside the region of operation of the local area network.

FIG. 1 illustrates a simplified local area network (LAN) 101 that canfacilitate security monitoring. This diagram is merely an example, whichshould not unduly limit the scope of the claims herein. One of ordinaryskill in the art would recognize many variations, modifications, andalternatives. In LAN 101, core transmission infrastructure 102 caninclude various transmission components, e.g., Ethernet cables, hubs,and switches. In a typical deployment, the core transmissioninfrastructure 102 can comprise one or more network segments.

According to one embodiment, a network segment refers to an InternetProtocol or IP “subnetwork” (called “subnet”). Each subnet is identifiedby a network number (e.g., IP number and subnet mask) and plurality ofsubnets are interconnected using router devices. In an alternativeembodiment, a network segment can refer to a virtual local area network(VLAN) segment and plurality of VLANs can be interconnected usingswitches (e.g., Ethernet switches). Other embodiments of networksegments are also possible. Notably, plurality of network segments ofLAN 101 can be geographically distributed (e.g., in offices of a companyin different geographic locations). The geographically distributedsegments can be interconnected using virtual private network (VPN).

One or more connection ports (e.g., Ethernet sockets) are provided oneach of the segments for connecting various computer systems to the LAN101. Thus, one or more end user devices 103 (such as desktop computers,notebook computers, telemetry sensors, etc.) can be connected to LAN 101via one or more connection ports 104 using wires (e.g., Ethernet cables)or other suitable connection means.

Other computer systems that provide specific functionalities andservices can also be connected to LAN 101. For example, one or moredatabase computers 105 (e.g., computers storing customer accounts,inventory, employee accounts, financial information, etc.) may beconnected to LAN 101 via one or more connection ports 108. Additionally,one or more server computers 106 (computers providing services, such asdatabase access, email storage, HTTP proxy service, DHCP service, SIPservice, authentication, network management, etc.) may be connected toLAN 101 via one or more connection ports 109.

In this embodiment, a router 107 can be connected to LAN 101 via aconnection port 110. Router 107 can act as a gateway between LAN 101 andthe Internet 111. Note that a firewall/VPN gateway 112 can be used toconnect router 107 to the Internet 111, thereby protecting computersystems in LAN 101 against hacking attacks from the Internet 111 as wellas enabling remote secure access to LAN 101.

In this embodiment, a wireless extension of LAN 101 is also provided.For example, authorized APs 113A and 113B can be connected to LAN 101via a switch 114. Switch 114 in turn can be connected to a connectionport 115. Switch 114 can assist APs 113A and 113B in performing certaincomplex procedures (e.g., procedures for authentication, encryption,QoS, mobility, firewall, etc.) as well as provide centralized managementfunctionality for APs 113A and 113B. Note that an authorized AP 116 canalso be directly connected to LAN 101 via a connection port 117. In thiscase, AP 116 may perform necessary security procedures (such asauthentication, encryption, firewall, etc.) itself.

In this configuration, one or more end user devices 118 (such as desktopcomputers, laptop computers, handheld computers, PDAs, etc.) equippedwith radio communication capability can wirelessly connect to LAN 101via authorized APs 113A, 113B, and 116. Notably, authorized APsconnected to the LAN 101 provide wireless connection points on the LAN.Note that WiFi or another type of wireless network format (e.g., UWB,WiMax, Bluetooth, etc.) can be used to provide the wireless protocols.

As shown in FIG. 1, an unauthorized AP 119 can also be connected to LAN101 using a connection port 120. Unauthorized AP 119 can be a maliciousAP, a misconfigured AP, or a soft AP. A malicious AP can be an APoperated by a person having physical access to the facility andconnected to LAN 101 without the permission of a network administrator.A misconfigured AP can be an AP allowable by the network administrator,but whose configuration parameters are, usually inadvertently,incorrectly configured. Note that an incorrect configuration can allowintruders to wirelessly connect to the misconfigured AP (and thus to LAN101). A soft AP typically refers to a WiFi-enabled computer systemconnected to a connection port, but also functioning as an AP under thecontrol of software. The software can be either deliberately run on thecomputer system or inadvertently run in the form of a virus program.Notably, the unauthorized APs create unauthorized wireless connectionpoints on the LAN.

Unauthorized AP 119 may pose any number of security risks. For example,unauthorized AP 119 may not employ the right security policies or maybypass security policy enforcing elements, e.g., switch 114. Moreover,an intruder, such as unauthorized station 126 can connect to LAN 101 andlaunch attacks through unauthorized AP 119 (e.g., using the radio signalspillage of the unauthorized AP outside the region of operation of theLAN).

In one embodiment, an AP (e.g., unauthorized AP 119) delivers datapackets between the wired LAN segment and the wireless medium. The APcan perform this function by acting as a NAT (i.e., network addresstranslator). The NAT AP acts as a layer 3 router that routes IP packetsreceived on its wired interface to the stations connected to itswireless interface and vice versa. The wired side and wireless sideinterfaces of the NAT AP are thus usually part of different subnets. TheNAT AP further performs translation of IP addresses and port numbers inthe packets before transferring them between the wired LAN segment andthe wireless medium. The NAT functionality is described in the ‘RFC3022’ specification of the Internet Engineering Task Force (IETF).

FIG. 1 also shows another unauthorized AP 121 whose radio coveragespills into the region of operation the concerned LAN. According to aspecific embodiment, the AP 121 can be an AP in the neighboring officethat is connected or unconnected to the neighbor's LAN, an AP on thepremises of LAN 101 that is not connected to the LAN 101 and other APs,which co-exist with the LAN and share the airspace without anysignificant and/or harmful interferences. According to another specificembodiment, the AP 121 can be hostile AP. Notably, even though notconnected to LAN 101, unauthorized AP 121 may lure authorized stationsinto communicating with it, thereby compromising their security. Thehostile AP may lure authorized wireless stations into connecting to itand launch man-in-the-middle, denial of service, MAC spoofing and otherkinds of disruptive attacks.

In accordance with one aspect of the invention, a security monitoringsystem can protect LAN 101 from unauthorized access (i.e., unauthorizedAP or unauthorized station). The intrusion detection system can includeone or more RF sensor/detection devices (e.g., sensor devices 122A and122B, each generically referenced herein as a sniffer 122) disposedwithin or in a vicinity of a selected geographic region comprising atleast a portion of LAN 101. In one embodiment (shown in FIG. 1), sniffer122 can be connected to LAN 101 via a connection port (e.g., connectionport 123A/123B). In another embodiment, sniffer 122 can be connected toLAN 101 using a wireless connection.

A sniffer 122 is able to monitor wireless activity in a subset of theselected geographic region. Wireless activity can include anytransmission of control, management, or data packets between an AP andone or more wireless stations, or among one or more wireless stations.Wireless activity can even include communication for establishing awireless connection between an AP and a wireless station (called“association”).

In general, sniffer 122 can listen to a radio channel and capturetransmissions on that channel. In one embodiment, sniffer 122 can cyclethrough multiple radio channels on which wireless communication couldtake place. On each radio channel, sniffer 122 can wait and listen forany ongoing transmission. In one embodiment, sniffer 122 can operate onmultiple radio channels simultaneously.

Whenever a transmission is detected, sniffer 122 can collect and recordthe relevant information about that transmission. This information caninclude all or a subset of information gathered from various fields in acaptured packet. Other information such as the size of the packet andday and time when the transmission was detected can also be recorded.

In one embodiment, the unauthorized AP (e.g., AP 119) uses encryption onthe wireless link. That is, it can allow a colluding client (e.g., suchas intruder 126) to connect to it. Additionally, the wirelesscommunication between the unauthorized AP and the colluding intruder canbe encrypted, making it difficult for sniffer 122 to decipher theinformation in the captured wireless activity associated with thiscommunication.

In one embodiment, sniffer 122 can be any suitable receiving devicecapable of detecting wireless activity. An exemplary hardware diagram ofthe sniffer is shown in FIG. 2. This diagram is merely an example, whichshould not unduly limit the scope of the claims herein. One of ordinaryskill in the art would recognize many variations, alternatives, andmodifications. As shown, in order to provide the desired detection andrecording functionality, sniffer 122 can have a central processing unit(CPU) 201, a flash memory 202 where the software code for snifferfunctionality resides, and a RAM 203 which serves as volatile memoryduring program execution. The sniffer 122 can have one or more 802.11wireless network interface cards (NICs) 204 which perform radio andwireless MAC layer functionality and one or more of dual-band (i.e., fortransmission detection in both the 2.4 GHz and 5 GHz radio frequencyspectrums) antennas 205 coupled to the wireless NICs. Each of thewireless NICs 204 can operate in a, b, g, b/g or a/b/g mode. Moreover,the sniffer 122 can have an Ethernet NIC 206 which performs Ethernetphysical and MAC layer functions, an Ethernet jack 207 such as RJ-45socket coupled to the Ethernet NIC for connecting the sniffer device towired LAN with optional power over Ethernet or POE, and a serial port208 which can be used to flash/configure/troubleshoot the snifferdevice. A power input 209 is also provided. One or more light emittingdiodes (LEDs) 210 can be provided on the sniffer device to convey visualindications (such as device working properly, error condition,unauthorized wireless device alert, and so on).

In one embodiment, sniffer 122 can be built using a hardware platformsimilar to that used to build an AP, although having differentfunctionality and software. In one embodiment, to more unobtrusively beincorporated in the defined geographic region, sniffer 122 could have asmall form factor. In one embodiment, a sniffer 122 could also beprovided with radio transmit interface, thereby allowing sniffer 122 togenerate interference with a suspected intruder's transmission. Theradio transmit interface could also be used by the sniffer 122 foractive probing which involves transmission of test signals.

A sniffer 122 can be spatially disposed at an appropriate location inthe selected geographic region by using heuristics, strategy, and/orcalculated guesses. In accordance with one aspect of the invention, anRF (radio frequency) planning tool can be used to determine an optimaldeployment location for sniffer 122.

Server 124 (also called “security appliance”) can be coupled to LAN 101using a connection port 125. In one embodiment, each sniffer 122 canconvey its information about detected wireless activity to server 124(i.e., over one or more computer networks). Server 124 can then analyzethat information, store the results of that analysis, and process theresults. In another embodiment, sniffer 122 may filter and/or summarizeits information before conveying it to server 124.

Sniffer 122 can also advantageously receive configuration informationfrom server 124. This configuration information can include, forexample, the operating system software code, the operation parameters(e.g., frequency spectrum and radio channels to be scanned), the typesof wireless activities to be detected, and the identity informationassociated with any authorized wireless device. Sniffer 122 may alsoreceive specific instructions from server 124, e.g., tuning to specificradio channel or detecting transmission of specific packet on a radiochannel.

According to an aspect of the present invention, the intrusion detectionsystem can classify the APs into three categories: authorized, rogue andexternal. An “authorized AP” refers to the AP allowed by the networkadministrator (e.g., APs 113A, 113B and 116), a “rogue AP” refers to theAP not allowed by the network administrator, but still connected to theLAN to be protected (e.g., AP 119), and an “external AP” refers to theAP not allowed by the network administrator, but not connected to theLAN to be protected (e.g., AP 121). For example, the external AP can beneighbor's AP connected to neighbor's network.

Advantageously, a security policy can be enforced using the foregoing APclassification. For example, wireless communication between anauthorized wireless station (e.g., stations 118) and the authorized APis to be permitted, according to a security policy. The wirelesscommunication between an unauthorized/neighbor's wireless station (e.g.,station 126) and the external AP is to be ignored, according to asecurity policy. Advantageously, the ignoring eliminates false alarmsregarding security policy violation and removes nuisance factor from theoperation of the intrusion detection system. All other wirelesscommunication (e.g., between an authorized/unauthorized/neighbor'swireless station and the rogue AP, between an authorized wirelessstation and the external AP, etc.) is to be denied, according to asecurity policy of an embodiment in the present invention.Advantageously, the denying helps protect the integrity of the LAN andthe authorized wireless stations. The aforementioned security policy isillustrated in FIG. 3. This diagram is merely an example, which shouldnot unduly limit the scope of the claims herein. One of ordinary skillin the art would recognize many variations, modifications, andalternatives.

In one embodiment, the invention provides a method for determining if aselected AP is coupled to the LAN. This can facilitate the foregoing APclassification. The method includes transferring one or more testpackets called ‘marker packets’ over the LAN to a selected device thatis suspected to be an AP. The marker packet can be a layer 2 packet, aTCP packet, a UDP packet, an ICMP packet, an ARP packet, or any otherpacket in IP or any other format. Preferably, marker packets haveselected format. In one embodiment, the marker packets can be ofselected one or more sizes. In another embodiment, the marker packetscan have selected bit pattern in them. In yet another embodiment, themarker packets have associated with them selected time instants relatedto their transferring over the LAN.

If the selected device is coupled to the LAN, it receives one or more ofthe marker packets. Further if it is an AP, it outputs at least a subsetof the received packets over the wireless medium, possibly after someprocessing and modification to the packets. Thus if a sniffer detectstransmission of one or more packets associated with the marker packetsfrom an AP over the wireless medium, said AP is inferred to be coupledto the LAN.

However, transferring marker packets over the LAN so that they can beoutput by the AP over the wireless medium is non-trivial usingconventional techniques. This is partly because the AP devices oftenimplement NAT functionality. A NAT AP can output packets from the wiredto wireless side only if the corresponding port mapping exits in the APdevice, else the AP discards the packets. In one embodiment, the portmapping is created when the client wireless station of the AP initiatesa communication session (e.g., TCP or UDP session) to some device (e.g.,web server, email server, database, another host, etc.) connected to thenetwork on the wired side of the NAT AP. Without the knowledge of thisport mapping, marker packets cannot be transferred to be output throughNAT APs.

In some embodiments, the AP devices can use encryption on the wirelesslink. For example, the unauthorized AP (e.g., AP 119) can use encryptionon the wireless link. That is, it can allow a colluding client (e.g.,such as intruder 126) to connect to it. Additionally, the wirelesscommunication between the unauthorized AP and the colluding intruder canbe encrypted, making it difficult for sniffer 122 to decipher theinformation in the captured wireless activity associated with thiscommunication. This makes it difficult for the sniffer to learn aboutthe port mapping as this information cannot be derived from the capturedencrypted wireless communication. Encryption on the wireless link alsomakes it difficult for the sniffer 122 to identify packets captured onthe wireless link as associated with marker packets.

In one embodiment, the present invention provides a method that canovercome the foregoing obstacles. This method 400 for detecting wirelessaccess devices coupled to a LAN is illustrated in FIG. 4A. This diagramis merely an example, which should not unduly limit the scope of theclaims herein. One of ordinary skill in the art would recognize manyvariations, alternatives, and modifications. The method 400 canadvantageously detect NAT APs coupled to LAN, even if the APs useencryption on wireless link.

As shown, step 402 can couple a sniffer device to a LAN. In oneembodiment (e.g., illustrated in FIG. 4B), the sniffer device isconnected to a network segment of the LAN to be protected fromunauthorized access. FIG. 4B illustrates a network segment of a LANformed using LAN switch 422. This diagram is merely an example, whichshould not unduly limit the scope of the claims herein. One of ordinaryskill in the art would recognize many variations, alternatives, andmodifications. As shown in FIG. 4B, the network segment can comprisecomputer systems 423A, 423B and 423C. Moreover, the network segment isshown to comprise a NAT AP 425. A sniffer 421 is shown connected to thisnetwork segment. In one embodiment, the sniffer can be connected usingwires (e.g., Ethernet connection). In another embodiment, the sniffercan be connected using wireless link (not shown). In yet anotherembodiment, a software directed to perform sniffer functionality can berun on one more of the computer systems (e.g., 423A, 423B, 423C etc.)connected to the network segment.

Step 404 can transfer one or more packets to be directed to a selecteddevice over the local area network, the selected device being coupled tothe local area network. As merely an example, in FIG. 4B the one or morepackets can be transferred from the computer system 423B to be directedto AP 425. In one embodiment, the ultimate destination of these packetscan be a wireless client 428.

Step 406 can intercept the one or more packets to be directed to theselected device at the sniffer device. In one embodiment, theintercepting comprises routing the one or more packets to be directed tothe selected device through the sniffer device. For example, as shown inFIG. 4B, packets 424A to be directed to AP 425 are intercepted at thesniffer 421. Step 408 can derive information from the intercepted one ormore packets using the sniffer device. In one embodiment, the derivedinformation comprises destination port type (TCP or UDP) and destinationport number in the intercepted packets. In one embodiment, the sniffercan transfer the intercepted one or more packets to the selectedwireless device (as shown by 424B) after deriving information from them.The selected wireless device can transfer these packets to theirdestination after possibly processing and modifying them (as shown by424C).

Step 410 can generate one or more packets in a selected format(generically called ‘marker packets’ throughout this specification)based upon at least a portion of the derived information using thesniffer. Preferably, the generated packets are of the same type (TCP orUDP) and destined to the same port number as inferred in step 408. Step410 can transfer the marker packets from the sniffer over the local areanetwork to the selected device. This is illustrated by 426A in exampleof FIG. 4B. In one embodiment, the selected format can comprise aselected size or a set of selected sizes. In another embodiment, theselected format can comprise a selected bit pattern or a set of selectedbit patterns. In yet another embodiment, the selected format cancomprise a set of time instants associated with packet generation, a setof time instants associated with packet transfer, etc.

Step 412 can monitor an airspace within a vicinity of the selecteddevice using one or more sniffer devices. In one embodiment (illustratedin FIG. 4B), the selected device is a wireless access device (e.g., NATAP 425). Since the marker packets 426A are destined to the port numberfor which a port mapping is inferred to exist in the AP 425 (e.g., instep 408), the AP 425 routes the packets 426A to the wireless link sothat they can be delivered to their destination (e.g., wireless client428) as shown by 426B. The packets 426B will often exhibit format (e.g.,size, bit pattern, time instant associated with start/end oftransmission, etc.) associated with the selected format of the markerpackets. At least one of the one or more sniffer devices (e.g., sniffer421 in FIG. 4B) can detect at least one of the packets 426B. This closesthe loop and the device 425 can be inferred to be a wireless accessdevice connected to the network segment. On the other hand, if theselected device is not a wireless access device (not shown in FIG. 4B),the marker packets 426A would not be routed to the wireless link.Notably, in one embodiment the sniffer device that transfers markerpackets in step 410 and the one that detects packets associated with themarker packets on wireless link in step 412 can be the same snifferdevice. In an alternative embodiment, the sniffer device that transfersmarker packets in step 410 and the one that detects packets associatedwith the marker packets on wireless link in step 412 can be differentsniffer devices (not shown in FIG. 4B).

In one embodiment of method 400, the sniffer device may not generate newmarker packets (e.g., as in step 408), rather use the interceptedpackets as marker packets. The sniffer can transfer the intercepted oneor more packets to the selected device after deriving format information(e.g., size, bit pattern, time instant associated with packet transferfrom the sniffer, etc.) from them, as shown by 424B in FIG. 4B. Step 412can then monitor the airspace and compare format information in thepackets detected on the wireless link with the format informationderived from the intercepted one or more packets in step 408. If theselected device is a wireless access device (e.g., NAT AP 425), themarker packets 424B will be routed to their destination (e.g., wirelessclient 428) as shown by 424C. The packets 424C on wireless link can bedetected by the sniffer device (e.g., sniffer 421).

The above sequence of steps provides method according to an embodimentof the present invention. As shown, the method uses a combination ofsteps including a way of detecting for an intrusion using wirelesscomputer networks. Of course, other alternatives can also be providedwhere steps are added, one or more steps are removed, or one or moresteps are provided in a different sequence without departing from thescope of the claims herein. Additionally, the various steps can beimplemented using a computer code or codes in software, firmware,hardware, or any combination of these. Depending upon the embodiment,there can be other variations, modifications, and alternatives.

The method 500 according to a specific embodiment of the method ofinvention is illustrated in FIG. 5. This diagram is merely an example,which should not unduly limit the scope of the claims herein. One ofordinary skill in the art would recognize many variations,modifications, and alternatives.

As shown, step 502 can discover a set of devices coupled to a selectednetwork segment of a local area network. In a specific embodiment, theIP numbers (i.e., IP addresses) and MAC addresses (e.g., Ethernetaddresses) of these devices are determined. In another specificembodiment, software tools such as “ettercap”, “nmap” and others can beused for this purpose. These tools can scan (for example, using ICMPping packets, TCP SYN packets, etc.) the IP addresses within the addressrange of the network segment to detect active IP addresses on thesegment. They can then perform ARP (Address Resolution Protocol asdescribed in ‘RFC 0826’ specification of the IETF) query to determinethe corresponding MAC addresses. In one embodiment, the tool softwarecan be run on the sniffer device that is connected to the networksegment.

Alternatively, the sniffer can capture (e.g., over the Ethernetconnection) and analyze the ARP transactions on the network segment toinfer the IP addresses of the devices attached to the segment. The ARPrequest is used by a requester device to query the MAC addresscorresponding to a given IP address and is a broadcast message on thenetwork segment. The ARP reply is sent to the requester by the devicethat owns the given IP address. The ARP reply is usually a unicastmessage to the requester and contains the MAC address of the responder.In one specific embodiment, the sniffer can capture ARP request packetson the network segment. The ARP request packet contains IP address ofthe requester. The sniffer can then issue the ARP query for this IPaddress and find out the corresponding MAC address.

Step 504 can shortlist the devices that are suspected to be NAT APs fromthe discovered set of devices. In one embodiment, NAT devices from thediscovered set are identified by conducting certain tests. For example,one or more IP packets are transferred (e.g., by the sniffer) to thenetwork segment with TTL (Time To Live) value in IP header set equal to1 and the response is monitored. In a specific embodiment, the IP packetis addressed to arbitrary IP address and is transferred to the networksegment as Ethernet broadcast packet (e.g., Ethernet destination addressof hexadecimal FF:FF:FF:FF:FF:FF). Preferably, the NAT devices reply tothis packet via ICMP “Time Exceeded” message. While host devices (e.g.,PCs/laptops running Microsoft windows, Linux, etc.) and server devices(e.g., mail server, WWW server, file transfer server, etc.) do not sendany response.

In an alternative embodiment to identify NAT devices, one or more IPpackets addressed to a selected IP address (e.g., among the discoveredlist in step 502) and a selected UDP port is transferred by the snifferto the LAN segment and the response is monitored. Preferably, theselected UDP port number is chosen to be from the range that is nottypically used by UDP based applications (e.g., greater than 61,000).Preferably, the NAT device (i.e., with the selected IP address) does notsend any ICMP reply to this packet. While the other devices (i.e., withthe selected IP address) respond with ICMP “Destination Unreachable”message.

In yet an alternative embodiment to identify NAT devices, one or more IPpackets addressed to a selected IP address (other than that of aselected victim device) are transferred by the sniffer over the LANsegment to the selected victim device (e.g., to the MAC address of theselected victim device). Preferably, if the selected victim device is aNAT device, it forwards these packets to their appropriate IPdestination. If not, it simply discards the packets. Thus, the arrivalor otherwise of these packet at their correct IP destination canindicate if the victim device is a NAT device or not.

In yet a further alternative embodiment, the information received duringthe DHCP (Dynamic Host Configuration Protocol described in ‘RFC 2131’ ofthe IETF) transactions is used for the shortlisting of the suspected NATAP devices. In a specific embodiment, the sniffer obtains IP address foritself by issuing DHCP query, and in response, receives IP address andconfiguration parameters (e.g., IP addresses of one or more gatewayrouters). Notably, the gateway routers can also often provide NATfunctionality. Since preferably APs are not gateway routers, this testhelps identifying NAT devices in the discovered set that are most likelynot AP devices.

In another alternative embodiment, the sniffer prepares a list of MACaddresses of one or more APs discovered from the packets captured on thewireless medium (e.g., from the source MAC addresses found in capturedbeacon packets). It then looks for MAC addresses in the discovered set(e.g., in step 502) that are within a small margin (e.g., plus or minus1, plus or minus 2, etc.) of at least one of the MAC addressesdiscovered on the wireless medium. If such MAC addresses are found inthe discovered set, the corresponding devices can be added to the set ofsuspected NAP APs. This is because preferably the AP equipmentmanufacturers often configure MAC addresses on the wireless interface(e.g., WiFi NIC) and the wired interface (e.g., Ethernet NIC) that arewithin a small margin of each other. In another embodiment, the sniffercompares vendor information derived from the MAC addresses (e.g., fromthe three bytes in the MAC address that often contain vendoridentification number) to determine suspected APs among the discoveredset (e.g., in step 502). In one preferred embodiment, both the wirelessand wired NICs on an AP device are provided by the same vendor. Inanother preferred embodiment, only a known set of vendors provides(i.e., sells in the market) the AP equipment.

Step 506 can perform “ARP poisoning” directed to one or more devices(called “victim devices”) detected on the network segment (e.g., in step502). Preferably, victim devices are chosen from the shortlisted (e.g.,as in step 504) set of devices. This can advantageously spare from ARPpoisoning the devices connected to the network segment that are mostlikely not the NAT AP devices. The ARP poisoning involves sending ARPreply (usually unsolicited) from the sniffer advertising the sniffer'sown MAC address as associated with the victim device's IP address. Inone embodiment, the ARP reply is addressed to a broadcast address on thenetwork segment. In an alternative embodiment, the ARP reply is unicastto each of the devices detected on the network segment, except thevictim device. Other techniques to perform ARP poisoning can also beused. The sniffer can ARP poison one or more victims devices at anygiven time.

As a result of ARP poisoning, the devices connected to the networksegment register the association between the victim device's IP addressand the sniffer's MAC address. Consequently, when any device on thenetwork segment wants to transfer IP packet to the victim device's IPaddress, it forwards it to the sniffer's MAC address and thus sniffergets the packet first. The sniffer captures this packet and recordsinformation associated with the packet. This is illustrated in step 508.

In one embodiment, the recorded information can include the value ofdestination port in the UDP/TCP header of the packet. This value can beindicative of the port number in the victim device for which a portmapping entry has been created by the client wireless station. That is,if packets are sent to this port number on the victim device, the victimdevice is able to route them over the wireless link to the clientwireless station. In another embodiment, size of the packet can berecorded. In yet an alternative embodiment, other contents in the packetheader and payload can be recorded.

The sniffer can relay this packet to the victim device's MAC address,which is its legitimate destination on the network segment. If thevictim device is indeed a NAT AP and if the packet is destined to aclient wireless station connected to this NAT AP, the victim device canthen route this packet to the client wireless station using the portmapping information available in the victim device. In one embodiment,the sniffer fragments (e.g., as in IP packet fragmentation described in‘RFC 0791’ specification of the IETF) the victim's packets and forwardsone or more fragments to the victim device after storing informationassociated with the fragments. The fragmentation preferably rendersspecific characteristics (e.g., sizes) to fragments for ease of theirlater identification. Additionally, the fragment sizes can be chosenfrom a predetermined set. This enables a sniffer to identify a markerpacket on the wireless medium, which is intercepted (e.g., after ARPpoisoning) and forwarded by another sniffer.

As shown in step 510, the sniffer can generate one or more markerpackets and transfer these packets on the network segment to the victimdevice. The information recorded from the earlier captured victimdevice's packet (e.g., as in step 508) can be used in generating thesemarker packets. In one embodiment, the marker packets can be generatedaddressed to UDP/TCP port inferred from the earlier captured packet.Preferably, whenever the sniffer switches to a new radio channel formonitoring wireless activity, one or more marker packets are generatedand transferred to the victim device. This advantageously increases thechance of detecting packets associated with the marker packets on thewireless medium. These marker packets will be received by the victimdevice, and if it is a NAT AP, will be routed by the victim device onthe wireless medium to their destination using the port mappinginformation available in the victim device.

Notably, in a specific embodiment, the UDP/TCP marker packets generatedby the sniffer contain null payload. In another specific embodiment, theTCP header and payload in the marker packets generated by the sniffercan be the same as those in the earlier captured packet. In yet anotherspecific embodiment, UDP/TCP packets are generated with a non-nullpayload but with an incorrect value of the CRC or Cyclic RedundancyChecksum (e.g., in the UDP or TCP checksum field), so that eventuallythey will be rejected by the recipient device (e.g., client wirelessstation). Techniques such as these can advantageously avoid confusing ordisrupting the UDP/TCP application on the client wireless station due tothe packets generated by the sniffer. In one embodiment, the sniffer cangenerate packets having sizes selected from a predetermined set of sizesfor ease of their later identification. This can also enable a snifferto identify marker packets on the wireless medium, which are generatedby other sniffers. Other embodiments of packet generation are possibleand will be apparent to those skilled in the art.

As shown in step 512, the sniffer can monitor wireless transmissions andidentify marker packets. In one embodiment, the characteristics(content, header values, sizes, etc.) of packets detected by the snifferover the wireless medium are examined. The examination reveals if anypacket or a fragment of a packet earlier transferred by the sniffer oranother sniffer to the network segment has appeared on the wirelessmedium. If the match is detected, the AP that transmits said packet orfragment on the wireless link is inferred to be connected to the LANsegment.

In one embodiment, once the AP is inferred to be connected to the LANsegment, subsequent tests for connectivity can be done using methodssuch as querying the AP over the LAN segment. For example, ARP requestsare periodically sent (e.g., by the sniffer) to the AP's IP address. Aslong as the AP responds to these requests, it is inferred to beconnected to the LAN segment. In one embodiment, when no response isreceived, the AP is inferred to be disconnected from the LAN segment.

The above sequence of steps provides method according to an embodimentof the present invention. As shown, the method uses a combination ofsteps including a way of detecting connectivity of NAT AP devices towireless computer networks. Of course, other alternatives can also beprovided where steps are added, one or more steps are removed, or one ormore steps are provided in a different sequence without departing fromthe scope of the claims herein. Additionally, the various steps can beimplemented using a computer code or codes in software, firmware,hardware, or any combination of these. Depending upon the embodiment,there can be other variations, modifications, and alternatives.

The method 600 for shortlisting suspected NAT APs according to aspecific embodiment of the method of invention is illustrated in FIG. 6.This diagram is merely an example, which should not unduly limit thescope of the claims herein. One of ordinary skill in the art wouldrecognize many variations, modifications, and alternatives. This method600 can be used for step 504. The steps in method 600 are as follows.

Step 602 can transfer, over a selected network segment, one or more IPpackets each with TTL filed value of 1 and arbitrary IP destinationaddress. Preferably, the packets are sent to a MAC broadcast address ofthe network segment. Step 604 can record identities of devices thatrespond with ‘ICMP Time Exceeded’ message. In one embodiment, theidentities can include MAC and/or IP addresses of the devices. Let ‘S’denote a set of such devices. In one embodiment, the set ‘S’ includesNAT and router devices connected to the network segment.

Step 606 can transfer one or more IP packets over the network segment toeach device in the set ‘S’. In one embodiment, these are UDP packetsaddressed to some high number (e.g., 60,000) UDP port. Step 608 candetermine a subset of ‘S’ (denoted by ‘S1’) that do not respond with‘Destination Unreachable’ message. Preferably, the set ‘S1’ includes NATdevices connected to the network segment. In one embodiment, themessages in steps 602 and 606 are sent from the Ethernet interface of asniffer device that is connected to the network segment. The responsesin steps 604 and 608 can be monitored by the same sniffer or differentsniffer.

Step 610 can determine based on DHCP information, which devices in theset ‘S1’ are potentially AP devices. For example, the DHCP responseoften includes identities of gateway routers that are connected to thenetwork segment. Gateway routers can often implement NAT functionality;however gateway routers preferably are not AP devices.

Step 612 can prioritize the potential AP devices in the set ‘S1’ for ARPpoisoning. In one embodiment, a sniffer can prepare a list of MACaddresses of one or more APs discovered from the packets captured on thewireless medium (e.g., from the source MAC addresses found in capturedbeacon packets). It then looks for MAC addresses among the potential APdevices in set ‘S1’ that are within a small margin (e.g., plus or minus1, plus or minus 2, etc.) of at least one of the MAC addressesdiscovered on the wireless medium. If such MAC addresses are found inthe discovered set, the corresponding devices can be prioritized for ARPpoisoning. This is because preferably the AP equipment manufacturersoften configure MAC addresses on the wireless interface (e.g., WiFi NIC)and the wired interface (e.g., Ethernet NIC) that are within a smallmargin of each other. In another embodiment, the sniffer compares vendorinformation derived from the MAC addresses (e.g., from the three bytesin the MAC address that often contain vendor identification number) toprioritize the potential AP devices for ARP poisoning. In one preferredembodiment, both the wireless and wired NICs on an AP device areprovided by the same vendor. In another preferred embodiment, only aknown set of vendors provides (i.e., sells in the market) the APequipment.

The above sequence of steps provides method according to an embodimentof the present invention. As shown, the method uses a combination ofsteps including a way of shortlisting NAT AP devices coupled to localarea network segment. Of course, other alternatives can also be providedwhere steps are added, one or more steps are removed, or one or moresteps are provided in a different sequence without departing from thescope of the claims herein. Additionally, the various steps can beimplemented using a computer code or codes in software, firmware,hardware, or any combination of these. Depending upon the embodiment,there can be other variations, modifications, and alternatives.

In one embodiment of the invention, presence of NAT AP in the LAN isinferred by monitoring specific wireless activity associated with theAPs. This embodiment can infer whether an AP is a NAT AP by analyzingMAC addresses in data packets over the wireless medium transmitted by ordestined to the AP. For example, the source (destination) MAC address ina data packet (e.g., 802.11 data frame) transmitted over the wirelessmedium by a NAT AP (to a NAT AP) is always equal to the BSSID of the AP.On the other hand, the source (destination) MAC address in a data packettransmitted over the wireless medium by a layer 2 bridge AP (to layer 2bridge AP) is often different from the BSSID of the AP. The method 700according to this embodiment is illustrated in FIG. 7. This diagram ismerely an example, which should not unduly limit the scope of the claimsherein. One of ordinary skill in the art would recognize manyvariations, modifications, and alternatives. For example, this methodcan be used to determine if NAT APs are present in the LAN beforeperforming other connectivity tests.

As shown, step 702 can capture a data packet over wireless mediumtransmitted by (destined to) a selected AP. Step 704 can record a sourceMAC address (destination MAC address) in the packet. Step 706 can recordthe BSSID value in the packet. For example, BSSID is the value in thetransmitter address (receiver address) field of the captured packet. Thesource MAC address (destination MAC address) value is compared with theBSSID value in step 708. If the two values are not equal to each other,in step 710 the AP is inferred to be a layer 2 bridge type AP.

If the two values are equal to each other, in step 712 the AP isinferred to be a potential NAT AP. In a preferred embodiment, if athreshold number of packets indicate that the AP is a potential NAT AP,said AP is inferred to be a NAT AP. In an alternative preferredembodiment, if a threshold number of packets each associated with adifferent client wireless station communicating with the AP indicatethat the AP is a potential NAT AP, said AP is inferred to be a NAT AP.

The above sequence of steps provides method according to an embodimentof the present invention. As shown, the method uses a combination ofsteps including a way of detecting NAT AP devices present in a localarea network. Of course, other alternatives can also be provided wheresteps are added, one or more steps are removed, or one or more steps areprovided in a different sequence without departing from the scope of theclaims herein. Additionally, the various steps can be implemented usinga computer code or codes in software, firmware, hardware, or anycombination of these. Depending upon the embodiment, there can be othervariations, modifications, and alternatives.

FIG. 8 illustrates a simplified functional diagram of a sniffer deviceaccording to an embodiment of the present invention. As shown, thesniffer device comprises a handler 802, a processor 804, a packetgenerator 806 and an output handler 808. Each of these can be providedat least in part in one or more computer codes. The handler 802 isadapted to intercept one or more packets on a network segment.Preferably, the one or more packets are directed to be transferred to aselected device coupled to the network segment. In one embodiment, thehandler intercepts the one or more packets using the Ethernet networkinterface (e.g., Ethernet NIC 206). In another embodiment, the handlerintercepts the one or more packets using the wireless network interface(e.g., WiFi NIC 204). In one embodiment, the handler includes ARPpoisoning function (e.g., as in step 506). In another embodiment, thehandler includes short-listing function (e.g., as described in step 504,method 600, etc.).

The processor 804 is adapted to derive information associated with theintercepted one or more packets (e.g., as in step 408, step 508, etc.).The packet generator 806 is adapted to generate one or more packets in aselected format based upon at least a portion of the derived information(e.g., as in step 410, step 510, etc.). The output handler 808 isadapted to transfer the one or more packets in the selected format overthe network segment to the selected device. In one embodiment, theoutput handler transfers the one or more packets in the selected formatusing the Ethernet network interface. In another embodiment, the outputhandler transfers the one or more packets in the selected format usingthe wireless network interface.

As shown, the sniffer device can also comprise a wireless activitydetector 810, which is adapted to monitoring wireless activity within anairspace to identify one or more packets associated with the one or morepackets in the selected format. In one embodiment, the wireless activitydetector can capture packets over the wireless medium, derive formatinformation from them and compare the derived format information withthe selected format information in the generated and transferred one ormore packets. The wireless activity detector can be provided at least inpart in one or more computer codes and the wireless activity detectorcan monitor the wireless activity using wireless radio receiver.

The various embodiments of the present invention may be implemented aspart of a computer system. The computer system may include a computer,an input device, a display unit, and an interface, for example, foraccessing the Internet. The computer may include a microprocessor. Themicroprocessor may be connected to a data bus. The computer may alsoinclude a memory. The memory may include Random Access Memory (RAM) andRead Only Memory (ROM). The computer system may further include astorage device, which may be a hard disk drive or a removable storagedrive such as a floppy disk drive, optical disk drive, jump drive andthe like. The storage device can also be other similar means for loadingcomputer programs or other instructions into the computer system.

As used herein, the term ‘computer’ may include any processor-based ormicroprocessor-based system including systems using microcontrollers,digital signal processors (DSP), reduced instruction set circuits(RISC), application specific integrated circuits (ASICs), logiccircuits, and any other circuit or processor capable of executing thefunctions described herein. The above examples are exemplary only, andare thus not intended to limit in any way the definition and/or meaningof the term ‘computer’. The computer system executes a set ofinstructions that are stored in one or more storage elements, in orderto process input data. The storage elements may also hold data or otherinformation as desired or needed. The storage element may be in the formof an information source or a physical memory element within theprocessing machine.

The set of instructions may include various commands that instruct theprocessing machine to perform specific operations such as the processesof the various embodiments of the invention. The set of instructions maybe in the form of a software program. The software may be in variousforms such as system software or application software. Further, thesoftware may be in the form of a collection of separate programs, aprogram module within a larger program or a portion of a program module.The software also may include modular programming in the form ofobject-oriented programming. The processing of input data by theprocessing machine may be in response to user commands, or in responseto results of previous processing, or in response to a request made byanother processing machine.

As used herein, the terms ‘software’ and ‘firmware’ are interchangeable,and include any computer program stored in memory for execution by acomputer, including RAM memory, ROM memory, EPROM memory, EEPROM memory,and non-volatile RAM (NVRAM) memory. The above memory types areexemplary only, and are thus not limiting as to the types of memoryusable for storage of a computer program.

Although specific embodiments of the present invention have beendescribed, it will be understood by those of skill in the art that thereare other embodiments that are equivalent to the described embodiments.Accordingly, it is to be understood that the invention is not to belimited by the specific illustrated embodiments, but only by the scopeof the appended claims.

1. A method for detecting wireless access devices coupled to local areanetwork of computers, the method comprising: coupling a sniffer deviceto a local area network; transferring one or more packets to be directedto a selected device over the local area network, the selected devicebeing coupled to the local area network; intercepting the one or morepackets to be directed to the selected device at the sniffer device;deriving information from the intercepted one or more packets using thesniffer device; generating one or more packets in a selected formatbased upon at least a portion of the derived information using thesniffer device; transferring the one or more packets in the selectedformat from the sniffer device over the local area network to theselected device; monitoring an airspace within a vicinity of theselected device using one or more sniffer devices.
 2. The method ofclaim 1 further comprising detecting one or more packets associated withthe one or more packets in the selected format in the airspace using atleast one of the one or more sniffer devices if the selected device is awireless access device.
 3. The method of claim 1 further comprisingoutputting one or more packets associated with the one or more packetsin the selected format using the selected device into the airspacewithin the vicinity of the selected device if the selected device is awireless access device.
 4. The method of claim 1 wherein theintercepting comprises routing the one or more packets to be directed tothe selected device through the sniffer device.
 5. The method of claim 1wherein the intercepting comprises Address Resolution Protocol (ARP)poisoning, the ARP poisoning associating an IP address of the selecteddevice with a MAC address of the sniffer device.
 6. The method of claim1 wherein the deriving information comprises identifying a destinationport number in the intercepted packets and recording the destinationport number in one or more computer memories.
 7. The method of claim 6wherein the one or more packets in the selected format are TransmissionControl Protocol (TCP) packets destined to the recorded destination portnumber.
 8. The method of claim 6 wherein the one or more packets in theselected format are User Datagram Protocol (UDP) packets destined to therecorded destination port number.
 9. The method of claim 1 wherein theselected format comprises a selected bit pattern in a packet.
 10. Themethod of claim 1 wherein the selected format comprises a selected sizeof a packet.
 11. The method of claim 1 wherein the selected formatcomprises a set of selected sizes associated with a set of one or morepackets.
 12. The method of claim 1 wherein the selected format comprisesa set of selected bit patterns associated with a set of one or morepackets.
 13. The method of claim 1 wherein the selected format comprisesa set of time instants associated with a set of packets.
 14. The methodof claim 13 wherein the set of time instants is associated with thetransferring the one or more packets from the sniffer device to theselected device.
 15. The method of claim 1 wherein the sniffer device isprovided in a computer system, a wireless access point, a networkdevice, or a stand alone device.
 16. Sniffer device comprising: ahandler adapted to intercept one or more packets on a network segment,the one or more packets being directed to be transferred to a selecteddevice coupled to the network segment; a processor adapted to deriveinformation associated with the intercepted one or more packets; apacket generator adapted to generate one or more packets in a selectedformat based upon at least a portion of the derived information; anoutput handler adapted to transfer the one or more packets in theselected format over the network segment to the selected device.
 17. Thesniffer device of claim 16 further comprising a wireless activitydetector adapted to monitoring wireless activity within an airspace toidentify one or more packets associated with the one or more packets inthe selected format.
 18. The sniffer device of claim 16 wherein thehandler, the processor, the packet generator, and the output handler areprovided at least partly in one or more computer codes.
 19. The snifferdevice of claim 16 wherein the handler intercepts the one or morepackets using the Ethernet network interface.
 20. The sniffer device ofclaim 16 wherein the output handler transfers the one or more packets inthe selected format using the Ethernet network interface.
 21. Thesniffer device of claim 17 wherein the wireless activity detector isprovided at least in part in one or more computer codes and the wirelessactivity detector monitors the wireless activity using wireless radioreceiver.
 22. The sniffer device of claim 16 wherein the output handlertransfers the one or more packets in the selected format using thewireless network interface.
 23. The sniffer device of claim 16 whereinthe handler intercepts the one or more packets using the wirelessnetwork interface.
 24. A method for detecting wireless access devicescoupled to local area network of computers, the method comprising:coupling a sniffer device to a local area network; transferring one ormore packets to be directed to a selected device over the local areanetwork, the selected device being coupled to the local area network;intercepting the one or more packets to be directed to the selecteddevice at the sniffer device; deriving format information from theintercepted one or more packets using the sniffer device; transferringthe intercepted one or more packets from the sniffer device over thelocal area network to the selected device; monitoring an airspace withina vicinity of the selected device using one or more sniffer devices. 25.The method of claim 24 further comprising detecting one or more packetsassociated with the one or more intercepted packets in the airspaceusing at least one of the one or more sniffer devices if the selecteddevice is a wireless access device.
 26. The method of claim 25 whereinthe detecting comprising comparing format information associated withone or more packets in the airspace with the derived format informationfrom the intercepted one or more packets.
 27. The method of claim 24further comprising outputting one or more packets associated with theone or more intercepted packets using the selected device into theairspace within the vicinity of the selected device if the selecteddevice is a wireless access device.